Summary

This module provides for flexible logging of client
requests. Logs are written in a customizable format, and may be
written directly to a file, or to an external program.
Conditional logging is provided so that individual requests may
be included or excluded from the logs based on characteristics
of the request.

Three directives are provided by this module:
TransferLog to create a log file,
LogFormat to set a custom format, and
CustomLog to define a log file and format in one
step. The TransferLog and CustomLog
directives can be used multiple times in each server to cause
each request to be logged to multiple files.

Directives

The format argument to the LogFormat and
CustomLog directives is a string. This string is
used to log each request to the log file. It can contain literal
characters copied into the log files and the C-style control
characters "\n" and "\t" to represent new-lines and tabs.
Literal quotes and back-slashes should be escaped with
back-slashes.

The characteristics of the request itself are logged by
placing "%" directives in the format string, which are
replaced in the log entry by the values as follows:

%...a: Remote IP-address
%...A: Local IP-address
%...B: Bytes sent, excluding HTTP headers.
%...b: Bytes sent, excluding HTTP headers. In CLF format,
    i.e. a '-' rather than a 0 when no bytes are sent.
%...c: Connection status when response was completed.
    'X' = connection aborted before the response completed.
    '+' = connection may be kept alive after the response is sent.
    '-' = connection will be closed after the response is sent.
%...{FOOBAR}e: The contents of the environment variable FOOBAR
%...f: Filename
%...h: Remote host
%...H: The request protocol
%...{Foobar}i: The contents of Foobar: header line(s) in the request
    sent to the server.
%...l: Remote logname (from identd, if supplied)
%...m: The request method
%...{Foobar}n: The contents of note "Foobar" from another module.
%...{Foobar}o: The contents of Foobar: header line(s) in the reply.
%...p: The canonical Port of the server serving the request
%...P: The process ID of the child that serviced the request.
%...q: The query string (prepended with a ? if a query string exists,
    otherwise an empty string)
%...r: First line of request
%...s: Status. For requests that got internally redirected, this is
    the status of the *original* request --- %...>s for the last.
%...t: Time, in common log format time format (standard English format)
%...{format}t: The time, in the form given by format, which should
    be in strftime(3) format. (potentially localized)
%...T: The time taken to serve the request, in seconds.
%...u: Remote user (from auth; may be bogus if return status (%s) is 401)
%...U: The URL path requested, not including any query string.
%...v: The canonical ServerName of the server serving the request.
%...V: The server name according to the UseCanonicalName setting.

The "..." can be nothing at all (e.g., "%h %u
%r %s %b"), or it can indicate conditions for inclusion
of the item (which will cause it to be replaced with "-" if the
condition is not met). The forms of condition are a list of
HTTP status codes, which may or may not be preceded by "!".
Thus, "%400,501{User-agent}i" logs User-agent: on 400 errors
and 501 errors (Bad Request, Not Implemented) only;
"%!200,304,302{Referer}i" logs Referer: on all requests which
did not return some sort of normal status.

Note that in versions previous to 1.3.25 no escaping was performed
on the strings from %...r, %...i and
%...o. This was mainly to comply with the requirements of
the Common Log Format. This implied that clients could insert control
characters into the log, so you had to be quite careful when dealing
with raw log files.

For security reasons, starting with 1.3.25, non-printable and
other special characters are escaped, mostly by using
\xhh sequences, where hh stands for
the hexadecimal representation of the raw byte. Exceptions to this
rule are " and \, which are escaped by prepending
a backslash, and all whitespace characters, which are written in their
C-style notation (\n, \t, etc).
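
The escaping rule described above, as an added Python example (not code from Apache or from this document), applied to a constructed request line to show why raw logging lets a client split one entry into two. The function names, the sample addresses and the exact set of whitespace characters given C-style notation are assumptions; the text names only \n and \t.

```python
import re

# Assumed set of whitespace bytes written in C-style notation; the text
# names only \n and \t ("etc").
C_STYLE = {0x09: "\\t", 0x0A: "\\n", 0x0B: "\\v", 0x0C: "\\f", 0x0D: "\\r"}

def escape_logitem(raw: bytes) -> str:
    """Escape one client-supplied value as the text describes for 1.3.25+."""
    out = []
    for b in raw:
        if b in (0x22, 0x5C):            # '"' and '\': prepend a backslash
            out.append("\\" + chr(b))
        elif b in C_STYLE:               # whitespace: C-style notation
            out.append(C_STYLE[b])
        elif 0x20 <= b <= 0x7E:          # printable ASCII: copied as-is
            out.append(chr(b))
        else:                            # everything else: \xhh
            out.append("\\x%02x" % b)
    return "".join(out)

def clf_line(host: str, request: bytes, status: int, size: int,
             escape: bool = True) -> str:
    """Build a CLF entry; escape=False mimics the pre-1.3.25 raw behaviour."""
    req = escape_logitem(request) if escape else request.decode("latin-1")
    return '%s - - [01/Jan/2002:00:00:00 +0000] "%s" %d %d' % (
        host, req, status, size)

# Matches the first quoted field, treating each backslash pair as one unit,
# so an escaped quote inside the field does not end it.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def request_field(line: str) -> str:
    """Return the escaped %r field from a log line written with escaping on."""
    m = QUOTED.search(line)
    return m.group(1) if m else ""

# Constructed request line containing a quote and a newline (sample data).
FORGED = (b'GET / HTTP/1.0" 200 512\n'
          b'198.51.100.7 - - [01/Jan/2002:00:00:00 +0000] "GET /x HTTP/1.0')

if __name__ == "__main__":
    raw = clf_line("192.0.2.10", FORGED, 404, 0, escape=False)
    safe = clf_line("192.0.2.10", FORGED, 404, 0)
    print(len(raw.splitlines()), "entries seen by a line-based parser (raw)")
    print(len(safe.splitlines()), "entry seen after escaping")
    print(request_field(safe))
```

A log parser that reads escaped logs has to treat \" and \\ as part of the field, as the regular expression here does; splitting on bare quotes would cut the request field short.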

Some commonly used log format strings are:

Common Log Format (CLF)

"%h %l %u %t \"%r\" %>s %b"

Common Log Format with Virtual Host

"%v %h %l %u %t \"%r\" %>s %b"

NCSA extended/combined log format

"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

Referer log format

"%{Referer}i -> %U"

Agent (Browser) log format

"%{User-agent}i"

Note that the canonical ServerName and Port of the server serving the
request are used for %v and %p
respectively. This happens regardless of the UseCanonicalName setting
because otherwise log analysis programs would have to duplicate
the entire vhost matching algorithm in order to decide what
host really served the request.

Security Considerations

See the security tips
document for details on why your security could be compromised
if the directory where logfiles are stored is writable by
anyone other than the user that starts the server.

Compatibility notes

This module is based on mod_log_config distributed with
previous Apache releases, now updated to handle multiple
logs. There is now no need to rebuild Apache to change
configuration log formats.

The module also implements the CookieLog
directive, used to log user-tracking information created by
mod_usertrack. The use of
CookieLog is deprecated, and a
CustomLog should be defined to log user-tracking
information instead.

As of Apache 1.3.5, this module allows conditional
logging based upon the setting of environment variables. That is, you
can control whether a request should be logged or not based
upon whether an arbitrary environment variable is defined or
not. This is configurable on a per-logfile
basis.

Beginning with Apache 1.3.5, the mod_log_config module
has also subsumed the RefererIgnore
functionality from mod_log_referer. The effect
of RefererIgnore can be achieved by combinations
of SetEnvIf
directives and conditional CustomLog
definitions.

The pipe character "|", followed by the path
to a program to receive the log information on its standard
input. Security: if a program is used, then
it will be run as the user who started httpd. This will be
root if the server was started by root; be sure that the
program is secure.

The second argument specifies what will be written to the
log file. It can specify either a nickname defined by
a previous LogFormat directive, or it
can be an explicit format string as described in the
log formats section.

For example, the following two sets of directives have
exactly the same effect:

The third argument is optional and controls
whether or not to log a particular request based on the
presence or absence of a particular variable in the server
environment. If the specified environment
variable is set for the request (or is not set, in the case
of a 'env=!name' clause), then the
request will be logged.

Environment variables can be set on a per-request
basis using the mod_setenvif
and/or mod_rewrite modules. For
example, if you want to record requests for all GIF
images on your server in a separate logfile but not in your main
log, you can use:

The LogFormat directive can take one of two
forms. In the first form, where only one argument is specified,
this directive sets the log format which will be used by logs
specified in subsequent TransferLog
directives. The single argument can specify an explicit
format as discussed in the custom log
formats section above. Alternatively, it can use a
nickname to refer to a log format defined in a
previous LogFormat directive as described
below.

The second form of the LogFormat directive
associates an explicit format with a
nickname. This nickname can then be used in
subsequent LogFormat or CustomLog directives rather than
repeating the entire format string. A LogFormat
directive which defines a nickname does nothing
else -- that is, it only defines the
nickname, it doesn't actually apply the format and make it the
default. Therefore, it will not affect subsequent TransferLog directives.

This directive has exactly the same arguments and effect as
the CustomLog directive, with the
exception that it does not allow the log format to be specified
explicitly or for conditional logging of requests. Instead, the
log format is determined by the most recently specified LogFormat directive that does not define
a nickname. Common Log Format is used if no other format has
been specified.